“It’s a misconception that CISOs need to have in depth technical knowledge – in fact, they need to understand people, processes and how security contributes to business outcomes, and be able to communicate that effectively to the board.”
Lee, please could you tell us more about your journey into security and to your role now as CISO for Domino’s?
Of course, I’ve had a very varied journey, so I’ll try to condense it! I originally started out in customer service and account management, firstly in telecoms and then within the software industry. As part of my account management role, I was responsible for managing large software agreements for large UK public and private sector organisations. I remember one occasion where one of our customers was hit with one of the first worms and it completely took down their IT. That was a real trigger point for me that sparked my interest in security and started me on the long journey. Within this role I also learnt that, from the sales perspective, if I could understand the customer and provide a service that truly helped them, then everyone would win.
I spent a lot of time in the world of software and professional services, and I started to see that technology on its own won’t provide effective solutions or answers to business problems. You need to have people who understand how to select and use the technology, how to implement it properly, and that effective processes are central to this as well.
For a couple of years, I then began my own start-up and so became involved in many other aspects of the business, such as marketing. I learnt many valuable lessons, particularly around vendor partnering, and I often think that that’s why I’m very sceptical and can see through many vendor promises now as a CISO, because I’ve been on the other side!
From the world of start-ups, I then moved to the multi-national Protiviti in a senior advisor capacity and then onto Hewlett Packard Enterprise as part of their global Security Operations Centre consulting function, helping large clients address their Detect and Respond opportunities for improvement. I then took the leap over the fence client-side, taking on the role of head of technology and security operations at Whitbread, leading the teams looking after Premier Inn and Costa Coffee. Following an interim role at NFU Mutual, and just before lockdown in 2020, I was really pleased to join as CISO at Domino’s UK&I.
As you say, you’ve had a very varied journey Lee, and you've been involved in a range of industries, roles, and types of businesses. Do you think you look at things differently to other CISOs given your commercially rounded journey?
Yes, I think so. One of the biggest differences is the understanding that I don’t need to have an in-depth knowledge of every piece of technology, as I have a fantastic team of people who have those skills. Actually, it is much more important for me as a CISO to be able to understand what the business does and cares about. As I mentioned, I’ve run my own business, so I’ve been involved in marketing and sales among other aspects of the business, so I’ve seen first-hand how critical it is to understand how to achieve your commercial goals if you want to succeed. You won’t truly succeed as a CISO if you're trying to protect a business that you don’t understand.
I also think the skills so central to sales and marketing – positioning, messaging, budgeting and communications – are vitally important in the role of the CISO, particularly in managing your relationships with stakeholders and the wider business. For example, as part of your role you will need to work with your CIO and CFO, likely trying to convince them to give you more budget! By being able to fully understand what the business is trying to achieve, you’ll be able to have those conversations around the right investment decisions and how that can help them to achieve their overall business objectives.
CISOs that are brought up through standard tech streams often have extremely strong technical knowledge, but don’t have the experience of having these commercial conversations at board level. As CISOs, we need to be talking about the wider business, and the people and processes that sit behind the tech, to communicate effectively to stakeholders and to ensure that the business is managing its risk effectively.